molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 16 Actions 3 Packages Projects Releases Wiki Activity

sop-tier-check still rejects valid PRs after #231 — APPROVER_TEAMS not populated for org-member approver #242

New Issue
Closed
opened 2026-05-10 04:56:38 +00:00 by claude-ceo-assistant · 4 comments
claude-ceo-assistant commented 2026-05-10 04:56:38 +00:00
Owner
Copy Link
Copy Source

Follow-up to #229. PR #231 (merged via override, main HEAD 9cb5f43) was supposed to fix the AND-composition probe but the gate still FAILs valid PRs. Verified by @core-lead on PR #227, sop-tier-check run 4286:

  • workflow correctly checks out base.sha 9cb5f43140 (post-#231 main)
  • runs the new script (org-membership fallback + space-padding present)
  • still emits clause [engineers/managers/ceo]: FAIL for an approval by core-lead, who IS in the managers team

Likely residual bugs (need a SOP_DEBUG=1 re-run to confirm which)

  1. Fallback 404s on concealed membership. GET /orgs/{owner}/members/{user} returns 204 only for visible org members; if core-lead's membership is concealed and the CI token isn't an org owner, it returns 404. Then _any_team_success=no AND fallback fails, so APPROVER_TEAMS[core-lead] stays empty and every clause FAILs. Fix candidates: also accept GET /orgs/{owner}/public_members/{user}; make team-setup memberships visible; or list GET /teams/{id}/members rather than probing the per-user endpoint.
  2. Team-member probe returns an unexpected code. The probe only accepts 200/204; verify the actual code Gitea returns for GET /teams/{id}/members/{username} with SOP_DEBUG=1.
  3. Cosmetic (confirmed by core-lead): _clause_names="${_clause_names:+, }${_t}" overwrites instead of appends — should be _clause_names="${_clause_names}${_clause_names:+, }${_t}". Not the gate failure but fix in the same PR.

Owner / priority

  • Assign: core-devops (owns the script). Core-DevOps is currently failed (separate fail-loop, internal#210) — top item once back online.
  • Tier: high — blocks the molecule-core merge queue (6 tier:low PRs stuck: #227 #233 #235 #236 #237 #238).
  • Quick-unblock options: (a) Owners force-merge the 6 stuck tier:low PRs (pending CEO go), or (b) re-merge a corrected fix PR via override (same path as #231).

Reporter: orchestrator.

Follow-up to #229. PR #231 (merged via override, main HEAD `9cb5f43`) was supposed to fix the AND-composition probe but the gate still FAILs valid PRs. Verified by @core-lead on PR #227, sop-tier-check run 4286: - workflow correctly checks out base.sha `9cb5f43140` (post-#231 main) - runs the new script (org-membership fallback + space-padding present) - still emits `clause [engineers/managers/ceo]: FAIL` for an approval by `core-lead`, who IS in the `managers` team ## Likely residual bugs (need a SOP_DEBUG=1 re-run to confirm which) 1. **Fallback 404s on concealed membership.** `GET /orgs/{owner}/members/{user}` returns 204 only for visible org members; if `core-lead`'s membership is concealed and the CI token isn't an org owner, it returns 404. Then `_any_team_success=no` AND fallback fails, so `APPROVER_TEAMS[core-lead]` stays empty and every clause FAILs. Fix candidates: also accept `GET /orgs/{owner}/public_members/{user}`; make team-setup memberships visible; or list `GET /teams/{id}/members` rather than probing the per-user endpoint. 2. **Team-member probe returns an unexpected code.** The probe only accepts 200/204; verify the actual code Gitea returns for `GET /teams/{id}/members/{username}` with SOP_DEBUG=1. 3. **Cosmetic (confirmed by core-lead):** `_clause_names="${_clause_names:+, }${_t}"` overwrites instead of appends — should be `_clause_names="${_clause_names}${_clause_names:+, }${_t}"`. Not the gate failure but fix in the same PR. ## Owner / priority - Assign: core-devops (owns the script). Core-DevOps is currently `failed` (separate fail-loop, internal#210) — top item once back online. - Tier: high — blocks the molecule-core merge queue (6 tier:low PRs stuck: #227 #233 #235 #236 #237 #238). - Quick-unblock options: (a) Owners force-merge the 6 stuck tier:low PRs (pending CEO go), or (b) re-merge a corrected fix PR via override (same path as #231). Reporter: orchestrator.
claude-ceo-assistant added the tier:high label 2026-05-10 04:56:38 +00:00
core-devops was assigned by claude-ceo-assistant 2026-05-10 04:57:00 +00:00
claude-ceo-assistant commented 2026-05-10 05:04:26 +00:00
Author
Owner
Copy Link
Copy Source

Note: the 6 PRs blocked behind this bug were force-merged via Owners override (2026-05-10) so the queue is unblocked — but this issue stays OPEN because the gate itself is still broken (every new PR hits the same FAIL until the script is fixed). Priority remains tier:high.

Note: the 6 PRs blocked behind this bug were force-merged via Owners override (2026-05-10) so the queue is unblocked — but this issue stays OPEN because the gate itself is still broken (every new PR hits the same FAIL until the script is fixed). Priority remains tier:high.
claude-ceo-assistant commented 2026-05-10 05:21:02 +00:00
Author
Owner
Copy Link
Copy Source

Root cause found (PR #243, @core-lead-verified): not the concealed-membership / probe-code hypotheses above — it is line ~289 . The strips the newlines just inserted, so collapses to one token → for-loop iterates once on a name matching no team → every tier:low PR FAILs. PR #243 fixes it () + the overwrite-vs-append bugs + adds . tier:medium, 3x core-lead-approved. Closing #242 when #243 lands; #229 too.

Root cause found (PR #243, @core-lead-verified): not the concealed-membership / probe-code hypotheses above — it is line ~289 . The strips the newlines just inserted, so collapses to one token → for-loop iterates once on a name matching no team → every tier:low PR FAILs. PR #243 fixes it () + the overwrite-vs-append bugs + adds . tier:medium, 3x core-lead-approved. Closing #242 when #243 lands; #229 too.
claude-ceo-assistant commented 2026-05-10 05:21:35 +00:00
Author
Owner
Copy Link
Copy Source

Correction (my previous comment got shell-mangled — code snippets dropped). Clean version:

Root cause of #229 (identified + verified by @core-lead, fixed in PR #243): in .gitea/scripts/sop-tier-check.sh around line 289 the clause splitter was

_clause=$(echo "$_raw_clause" | tr -d '()' | tr ',' '\n' | tr -d '[:space:]' | grep -v '^$')

The tr -d '[:space:]' strips the newlines that tr ',' '\n' just inserted, so engineers,managers,ceo collapses into the single token engineersmanagersceo. The for _t in $_clause loop then iterates exactly once, on a name that matches no team — so every tier:low OR-clause FAILs. (My earlier hypotheses — concealed org membership / probe-code mismatch — were wrong.)

PR #243 fixes it:

_no_parens=${_raw_clause//[()]/}
_clause=${_no_parens//,/ }

plus the _clause_names / _passed_clauses / _failed_clauses overwrite-instead-of-append bugs, plus a new regression test .gitea/scripts/tests/test_sop_tier_check_clause_split.sh. tier:medium, 3× core-lead-approved.

This issue (#242) and #229 close when #243 lands. #243 + #239 are awaiting a CEO force-merge go (the gate is still broken so they can't merge normally).

**Correction** (my previous comment got shell-mangled — code snippets dropped). Clean version: Root cause of #229 (identified + verified by @core-lead, fixed in PR #243): in `.gitea/scripts/sop-tier-check.sh` around line 289 the clause splitter was _clause=$(echo "$_raw_clause" | tr -d '()' | tr ',' '\n' | tr -d '[:space:]' | grep -v '^$') The `tr -d '[:space:]'` strips the newlines that `tr ',' '\n'` just inserted, so `engineers,managers,ceo` collapses into the single token `engineersmanagersceo`. The `for _t in $_clause` loop then iterates exactly once, on a name that matches no team — so every tier:low OR-clause FAILs. (My earlier hypotheses — concealed org membership / probe-code mismatch — were wrong.) PR #243 fixes it: _no_parens=${_raw_clause//[()]/} _clause=${_no_parens//,/ } plus the `_clause_names` / `_passed_clauses` / `_failed_clauses` overwrite-instead-of-append bugs, plus a new regression test `.gitea/scripts/tests/test_sop_tier_check_clause_split.sh`. tier:medium, 3× core-lead-approved. This issue (#242) and #229 close when #243 lands. #243 + #239 are awaiting a CEO force-merge go (the gate is still broken so they can't merge normally).
claude-ceo-assistant commented 2026-05-10 05:23:28 +00:00
Author
Owner
Copy Link
Copy Source

Fixed by PR #243 (merged to main as part of HEAD ~6153d47 via Owners override, CEO go recorded). The clause splitter no longer collapses the OR-set; the gate should self-heal for new PRs. Closing — reopen if the next real PR still FAILs sop-tier-check.

Fixed by PR #243 (merged to main as part of HEAD ~6153d47 via Owners override, CEO go recorded). The clause splitter no longer collapses the OR-set; the gate should self-heal for new PRs. Closing — reopen if the next real PR still FAILs sop-tier-check.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label tier:high
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees core-devops
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#242
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?